Rapid7 Blog

Microsoft Patch Tuesday - November 2011

November's Microsoft Patch Tuesday contains four bulletins: one rated Critical, two Important, and one Moderate. Most of them apply only to Windows Vista and later, which suggests the flaws they fix were introduced with the Vista code base. Usually the older releases carry the larger share of a month's vulnerabilities, so this month is unusual.

The critical bulletin, MS11-083, is a flaw in the Windows TCP/IP stack's handling of UDP: a continuous stream of UDP packets sent to a closed port on the target can trigger it. It affects Windows Vista, Windows 7, Server 2008 and Server 2008 R2; XP and Server 2003 are not affected. At minimum the flaw can be used for denial of service, and in the worst case for remote code execution, though no working code-execution exploit has been seen yet. With more eyes on this bulletin now, I certainly think more researchers will try to turn that theory into practice.

Regarding denial of service, this is the preferred weapon of many hacktivist organizations, and they would likely love to launch mass DoS attacks using this flaw. Because the trigger is UDP traffic to a closed port, it does not depend on which service a machine runs: any affected Windows host reachable over UDP is a target, not just web servers, which makes it more useful to an attacker than the garden-variety DoS against a single application. Bottom line: since this is a core flaw in how these systems process UDP traffic, every machine running an affected version should be patched as soon as possible. This is also a good time to revisit firewall configurations and make sure unsolicited inbound UDP is dropped and unnecessary ports are closed. Many organizations leave a port open for both TCP and UDP when the service behind it only listens on TCP; that unneeded UDP exposure is exactly what this flaw needs.
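The firewall review recommended above can be started with the short audit below. It is an added example, not code from the Rapid7 post or from Microsoft, and it uses the Windows Firewall with Advanced Security COM interface (HNetCfg.FwPolicy2), which is present on Vista and Server 2008 and later, the platforms MS11-083 affects. The profile, direction, action and protocol constants are the documented INetFwPolicy2/INetFwRule values; the `Get-ProfileNames` helper and the OK/REVIEW verdict are this example's own.

```powershell
# Inbound UDP exposure audit (added example, not from the Rapid7 post).
# Requires the Windows Firewall with Advanced Security COM API, i.e. Vista /
# Server 2008 or later. Run from an elevated PowerShell prompt.

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# Decode the INetFwRule.Profiles bitmask (Domain=1, Private=2, Public=4).
# Helper defined for this example.
function Get-ProfileNames([int]$mask) {
    $names = @()
    if ($mask -band 1) { $names += 'Domain' }
    if ($mask -band 2) { $names += 'Private' }
    if ($mask -band 4) { $names += 'Public' }
    $names -join ','
}

# 1. The MS11-083 trigger is unsolicited UDP to a closed port, so each
#    profile should have the firewall enabled and a default inbound action
#    of Block (0). A default of Allow (1) means closed ports are reachable
#    by anything on the network.
foreach ($entry in @(@('Domain', 1), @('Private', 2), @('Public', 4))) {
    $name, $type = $entry
    $enabled = $fw.FirewallEnabled($type)
    $default = $fw.DefaultInboundAction($type)
    $defaultText = if ($default -eq 0) { 'Block' } else { 'Allow' }
    $verdict = if ($enabled -and $default -eq 0) { 'OK' } else { 'REVIEW' }
    '{0,-8} firewall={1,-5} defaultInbound={2,-5} {3}' -f $name, $enabled, $defaultText, $verdict
}

# 2. Enabled inbound Allow rules that admit UDP, either explicitly
#    (protocol 17) or through protocol "Any" (256). "Any" is the usual shape
#    of the TCP-and-UDP mistake: a rule written for a TCP service that opens
#    the matching UDP port as well. A service that only listens on TCP should
#    have its rule narrowed to protocol 6.
$udpExposure = $fw.Rules | Where-Object {
    $_.Enabled -and
    $_.Direction -eq 1 -and        # NET_FW_RULE_DIR_IN
    $_.Action -eq 1 -and           # NET_FW_ACTION_ALLOW
    ($_.Protocol -eq 17 -or $_.Protocol -eq 256)
}

$udpExposure |
    Select-Object Name, Grouping, LocalPorts, ApplicationName,
        @{ Name = 'Protocol'; Expression = { if ($_.Protocol -eq 256) { 'Any (TCP+UDP)' } else { 'UDP' } } },
        @{ Name = 'Profiles'; Expression = { Get-ProfileNames $_.Profiles } } |
    Sort-Object Protocol, Name |
    Format-Table -AutoSize
```

Every row in the second listing is a UDP path to the host that the stack will process; each one should be justified by a service that actually speaks UDP, and the rest disabled or narrowed to TCP. Do the same review on the perimeter firewall, where the flaw can be stopped before it reaches unpatched hosts.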

MS11-085 is a vulnerability in Windows Mail and Windows Meeting Space. It touches fewer organizations, but it is a possible vector for remote code execution: the bug is insecure library loading (DLL preloading), so an attacker who entices a user to open a legitimate file, such as an .eml or .wcinv file, from an attacker-controlled location like a network share that also holds a malicious DLL gets code running as that user. It would be used as part of a social engineering campaign. This should be next in line to patch after the critical.

MS11-086 affects enterprises running Active Directory (including ADAM and AD LDS) and has the potential for privilege escalation. The bulletin applies across all current Windows platforms. The preconditions are substantial: the directory must be configured for LDAP over SSL (LDAPS), and the attacker must hold a revoked certificate tied to a valid domain account, which the affected code fails to reject during authentication. Given those requirements, I think it would be difficult to exploit in the wild.

MS11-084 is a flaw in the Windows kernel-mode drivers (win32k.sys) that an attacker could use to cause a denial of service; it is the Moderate bulletin and affects Windows 7 and Server 2008 R2. The bug is in TrueType font parsing, which may confuse some readers because the Duqu malware exploited a similar flaw in the same area. This bulletin is not related to Duqu and does not fix that vulnerability.

As we suspected, the Duqu-related vulnerability (CVE-2011-3402, the TrueType font parsing bug in win32k.sys described in Microsoft Security Advisory 2639658) is not patched today. I advise organizations to apply the workaround Microsoft recommends in that advisory, denying access to t2embed.dll, until a patch is released. Organizations should watch for an out-of-cycle update; if that doesn't happen, I suspect Microsoft will aim for December's Patch Tuesday.

If you have any Patch Tuesday or general patching questions or stories, feel free to share them below.
